Managing Cyber-Identity, Authorization and Trust (and their inter-relationships)

1. Managing Cyber-Identity, Authorization and Trust(and their inter-relationships) Prof. Ravi Sandhu Laboratory for Information Security Technology George Mason University www.list.gmu.edu sandhu@gmu.edu

2. Problem Drivers and Consequences PROBLEM DRIVERS • Uncertain threat: We always fight the last war • Technological change: B2B integration, Pervasive (ubiquitous) computing, Peer-to-peer, grid and utility computing, Intel’s LaGrande and Microsoft’s Longhorn, the next Intel, Microsoft, Cisco, … • Business change: Outsourcing/globalization, Cost/ROI, federated identity (relying party is NOT the identity provider), identity grades (identity vetting, authentication strength, purpose, privacy all vary) CONSEQUENCES • The 3-decade old problem of managing identity, authorization and trust is rapidly becoming more difficult, challenging and essential • Real progress requires radical shifts in our approach and fundamental advances in basic research

3. Radical Shifts: get real Focus on • what needs to be done rather than how it is to be done • real-word business requirements rather than hypothetical academic scenarios • the 80% problem rather than the 120% problem • soft and informal rather than hard and formal • constructing the policy rather than auditing the policy • constructive safety viapolicy articulation and evolutionrather than post-facto algorithmic safety • ordinary consumers as end-users and administrators rather than techno-geeks or math-geeks

4. Radical Shifts: good enough beats perfect Real-world users Security geeks SECURE EASY COST System owner